Social  networks  and  media  have  transformed  mobile  device  users  into  human  sensors  that  report  data 
from  remote,  possibly  hard  to  access  areas  of  interest.  For  instance,  the  recent  emergence  of  video 
sharing  sites,  e.g.,  YouTube,  Vine,  has  paved  the  way  toward  citizen  journalism:  people  that  witness 
events  of  public  importance  (e.g.,  conflicts,  protests,  disasters)  are  now  able  to  post  their  records  of 
the  events  and  share  them  with  the  community  at  large.  In  addition,  opinions  posted  on  social 
networks  are  central  to  numerous  aspects  of  people’s  daily  online  and  physical  activities.  Yet,  in 
critical  settings  it  is  especially  difficult  to  ascertain  and  assert  an  acceptable  level  of  trust,  and  current 
technologies  allow  easy  forging,  manipulation  and  fabrication. 

In  this  project  we  have  developed  solutions  to  establish  the  authenticity  and  integrity  of  social  media 
created  on  mobile  devices,  as  well  as  to  secure  the  storage  and  communications  of  the  mobile 
devices.  This  effort  is  of  paramount  importance  to  enable  the  use  of  such  media  for  evidence  and 
intelligence  gathering  purposes.  In  the  following,  we  describe  our  results  on  each  dimension  studied. 


1. Mobile Video Fraud Detection

We have focused on detecting plagiarized mobile videos. For instance, let us consider a scenario where a malicious party physically present in the U.S. uses a mobile device to "capture" a video of a projection showing violence previously shot on a different continent. Thus, in addition to assessing the device, location and time of capture, of crucial interest is the "liveness" dimension of the problem: verify that data has indeed been captured live on a mobile device, and has not been fabricated, e.g., using material from other sources. In the following, we describe Movee and Vamos, two systems we have developed in order to efficiently and securely identify plagiarized videos.

Figure 1. Movee uses four modules to verify a video stream: the i) Video motion analysis, and the ii) Inertial sensor motion analysis, produce movement estimations during capture, iii) Similarity computation extracts features, which iv) classification uses to make the final decision.

1.1.  Movee 

We  have  developed  Movee,  a  first  system  that  addresses  the  fundamental  question  of  whether  the 
visual  stream  uploaded  by  a  user  has  been  captured  live  on  a  mobile  device,  and  has  not  been 
tampered  with  by  an  adversary.  Movee,  illustrated  in  Figure  1,  leverages  the  mobile  device  motion 
sensors  and  the  intrinsic  user  movements  during  the  shooting  of  the  video.  Movee  exploits  the 
observation  that  the  movement  of  the  scene  recorded  on  the  video  stream  should  be  related  to  the 
movement  of  the  device  simultaneously  captured  by  the  accelerometer.  Contrary  to  existing 
algorithms,  Movee  has  the  unique  strength  of  not  depending  on  the  audio  track. 




Figure  2.  Example  alignment  of  video  and  inertial  motion  streams  extracted  from  the  same 
experiment:  (a)  When  using  only  DTW.  (b)  When  stretching  the  shorter  vector  and  applying  DTW. 
(c)  After  stretching  and  calibration  and  applying  DTW.  Stretching  helps  achieve  a  significant 
alignment  improvement. 


Movee  consists  of  four  modules,  illustrated  in  Figure  1.  The  video  motion  analysis  (VMA)  module 
processes  the  video  stream  captured  by  the  camera.  It  uses  video  processing  techniques  to  infer  the 
motion  of  the  camera,  producing  a  time-dependent  motion  vector.  VMA  is  inspired  by  the  process 
used  in  image  stabilization  capable  cameras.  The  Inertial  sensor  motion  analysis  (IMA)  module 
converts  the  data  signal  captured  from  the  inertial  sensor  into  another  time  dependent  motion  vector. 
The  motion  vectors  produced  by  the  VMA  and  IMA  modules  are  compared  in  the  similarity 
computation  (SC)  module.  SC  relies  on  a  flavor  of  the  dynamic  time  warping  (DTW)  algorithm  to 
compute  the  “similarity”  of  the  two  motion  vectors.  It  also  leverages  stretching  and  calibration 
techniques  in  order  to  address  the  different  frequency  of  capturing  video  and  acceleration  sensors  and 
the  difference  in  motion  pattern  speed  inference  based  on  the  subject’s  distance  to  the  camera.  Figure 
2  illustrates  the  effects  of  DTW,  stretching  and  calibration  steps  on  the  alignment  of  a  video  and 
acceleration  sample.  The  SC  module  also  produces  a  set  of  features  which  summarize  the  nature  of 
the  similarity.  The  features  are  then  used  by  the  classification  module,  which  runs  trained  classifiers 
to  decide  whether  the  two  motion  sequences  corroborate  each  other.  If  they  do,  Movee  concludes  the 
video  is  genuine. 


We  have  implemented  a  Movee  client  using  Android  and  a  server  component  using  C++,  R  and  PHP. 
We  used  the  Open  Source  Computer  Vision  (OpenCV)  library  [7]  for  the  video  motion  analysis.  The 
client  allows  users  to  capture  movies  and  simultaneously  provide  proofs  of  liveness.  We  have  also 
implemented  MoveeG,  a  Movee  app  variant  for  the  Google  Glass,  see  Fig.  8.  We  have  used  the  glass 
development  kit  (GDK)  to  build  MoveeG  as  a  glassware  that  runs  directly  on  Glass  (around  700  lines 
of  code).  MoveeG  starts  and  stops  by  voice  command  or  through  a  tap  based  menu.  Since  the  built-in 
camera  activity  has  limited  functionality,  we  have  built  our  own  logic  with  the  Android  Camera  API 
[2],  to  capture  videos.  Once  the  video  capture  is  completed,  MoveeG  sends  the  captured  video  and 
accelerometer  streams  to  a  server  over  the  Glass  Wi-Fi  connectivity,  using  HTTP  POST  requests. 


Figure 3. Movee performance (when using various supervised learning algorithms) on several attack datasets built using data collected from 13 participants: (left) on Samsung smartphone, (right) on Google Glass device. Panel titles: "Detailed Accuracy Parameters of Movee Glassware (Using Different Classifiers) for All Three Attack Datasets" and "Detailed Accuracy Results of MoveeG on the Glass, Cluster and Replay Attack Datasets". "Acc" denotes the accuracy of the classifier. Random Forest achieves best accuracy for both cluster and replay attacks. Movee is more accurate on Glass than on smartphone.

We  have  introduced  novel  attacks  that  focus  on  Movee’s  defenses,  to  fabricate  acceleration  data  that 
mimics  the  motion  observed  in  targeted  videos.  We  have  used  smartphones  and  wearable  smart 
glasses  to  collect  both  genuine  and  attack  data  from  13  users.  Our  experiments  show  that  Movee  is 
able  to  efficiently  detect  human  and  automatically  generated  plagiarized  videos:  Movee’s  accuracy 
ranges  between  68-93  percent  on  a  smartphone,  and  between  76-91  percent  on  a  Google  Glass 
device. 


1.2. Vamos: Video Accreditation Through Motion Signatures

We designed Movee to work on 6s long video and acceleration samples, requiring the user to pan the camera in a specific direction rather than gracefully accept the natural motion of the user. Furthermore, Movee is vulnerable to potent attacks. For example, an attacker starts Movee and points to a portion of a target video playing on a projection screen, performs a pan motion as specified by Movee, then points the camera to the whole frame of the fraudulent video. Since Movee only uses the initial 6s chunk, the resulting sample passes Movee’s verifications. These limitations significantly impact the practical application of Movee. To address these limitations, we have designed Vamos.

Figure 4. Illustration of the Vamos architecture and operation. Vamos consists of three steps, (i) “chunking” to divide the (video, acceleration) sample, (ii) chunk level classification, and (iii) sample level classification.


We  introduce  Vamos  (Video  Accreditation  Through  Motion  Signatures)  to  address  these  limitations 
and  provide  the  first  video  liveness  verification  system  that  works  on  unconstrained,  free-form 
videos,  does  not  impose  a  “verification”  step  on  users,  and  is  resilient  to  a  suite  of  powerful,  sensor 
based  attacks.  The  verifications  of  Vamos  leverage  the  entire  video  and  acceleration  sample.  This  is 
in  contrast  with  Movee,  which  relies  only  on  the  initial  section  of  the  sample.  Vamos  consists  of  the 
process  illustrated  in  Figure  4.  First,  it  divides  the  input  sample  into  equal  length  chunks.  Second,  it 
classifies  each  chunk  as  either  genuine  or  fraudulent.  Third,  it  combines  the  results  of  the  second  step 
with  a  suite  of  novel  features  to  produce  a  final  decision  for  the  original  sample. 

We introduce several chunking techniques, including sequential, segment based and random. We adapt Movee to provide an improved chunk-level classification: we use DTW, stretching and calibration features for the projection of video and acceleration streams on each axis, instead of for the overall samples. We introduce a suite of novel features to classify whole samples as genuine or fraudulent; the features are based on the output of the chunk level classification process and on aggregates computed over the chunks.
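The following is an added example, not code from Movee or Vamos: it implements the stretching, calibration and DTW steps of the similarity computation from Section 1.1, then contrasts a Movee-style check of the initial 6 s chunk with Vamos-style sequential chunking and a majority vote. The fixed threshold (in place of trained classifiers), the z-score calibration, the single-axis signals and the constructed motion data are assumptions.

```python
import math

CHUNK_S = 6      # chunk length in seconds, matching Movee's 6 s samples
THRESHOLD = 0.1  # assumed cut-off; Movee and Vamos use trained classifiers

def stretch(v, n):
    """Stretching: linearly resample v to n >= 2 points."""
    out = []
    for i in range(n):
        pos = i * (len(v) - 1) / (n - 1)
        lo = int(pos)
        hi = min(lo + 1, len(v) - 1)
        out.append(v[lo] + (v[hi] - v[lo]) * (pos - lo))
    return out

def calibrate(v):
    """Assumed calibration: zero mean and unit variance, so pixel motion and
    acceleration-derived motion are compared on the same scale."""
    mean = sum(v) / len(v)
    sd = math.sqrt(sum((x - mean) ** 2 for x in v) / len(v)) or 1.0
    return [(x - mean) / sd for x in v]

def dtw_distance(a, b):
    """Dynamic time warping cost, normalised by len(a) + len(b)."""
    inf = float("inf")
    prev = [0.0] + [inf] * len(b)
    for x in a:
        cur = [inf] * (len(b) + 1)
        for j, y in enumerate(b, start=1):
            cur[j] = abs(x - y) + min(prev[j], cur[j - 1], prev[j - 1])
        prev = cur
    return prev[-1] / (len(a) + len(b))

def chunk_distance(video, accel):
    """Similarity computation for one chunk: stretch, calibrate, then DTW."""
    n = max(len(video), len(accel))
    return dtw_distance(calibrate(stretch(video, n)), calibrate(stretch(accel, n)))

def chunks(video, accel, fps, hz):
    """Sequential chunking into time-aligned CHUNK_S-second slices."""
    nv, na = fps * CHUNK_S, hz * CHUNK_S
    for k in range(min(len(video) // nv, len(accel) // na)):
        yield video[k * nv:(k + 1) * nv], accel[k * na:(k + 1) * na]

def movee_verdict(video, accel, fps, hz):
    """Movee-style check: only the initial 6 s chunk is compared."""
    first_video, first_accel = next(chunks(video, accel, fps, hz))
    return chunk_distance(first_video, first_accel) < THRESHOLD

def vamos_verdict(video, accel, fps, hz):
    """Vamos-style check: classify every chunk, then take a majority vote."""
    votes = [chunk_distance(v, a) < THRESHOLD for v, a in chunks(video, accel, fps, hz)]
    return 2 * sum(votes) > len(votes), votes

# Constructed signals (not measurements): 30 s of video motion at 30 fps and
# accelerometer-derived motion at 50 Hz.
FPS, HZ, SECONDS = 30, 50, 30

def hand(t):
    """Motion of the person holding the phone."""
    return math.sin(2 * math.pi * 0.5 * t)

def replayed(t):
    """Motion contained in footage filmed off a projection screen."""
    return math.sin(2 * math.pi * 2.5 * t)

ACCEL = [hand(i / HZ) for i in range(HZ * SECONDS)]
GENUINE_VIDEO = [2.5 * hand(i / FPS) for i in range(FPS * SECONDS)]
# Sample shaped like the attack in the text: the first chunk is a genuine pan,
# the remaining chunks show the projection screen.
ATTACK_VIDEO = [2.5 * hand(i / FPS) if i < FPS * CHUNK_S else replayed(i / FPS)
                for i in range(FPS * SECONDS)]

if __name__ == "__main__":
    print("Movee, attack sample:", movee_verdict(ATTACK_VIDEO, ACCEL, FPS, HZ))
    print("Vamos, attack sample:", vamos_verdict(ATTACK_VIDEO, ACCEL, FPS, HZ))
    print("Vamos, genuine sample:", vamos_verdict(GENUINE_VIDEO, ACCEL, FPS, HZ))
```

The attack sample is accepted when only the first chunk is checked and rejected once every chunk votes, which is the limitation of Movee that Vamos is designed to close.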

We  have  introduced  several  novel  and  powerful 
attacks,  including  manual  “sandwich”  attacks, 
automatic  “clustering”  attacks,  and  hybrid  “stitch” 
attacks.  We  have  proposed  a  novel  classification 
of  mobile  videos  based  on  the  motion  of  the  user  holding  the  device,  the  motion  of  the  camera,  and 
the  distance  between  the  camera  and  the  subject  (12  categories).  We  have  performed  a  user  study 
with  16  participants  from  whom  we  have  collected  160  free  form  video  and  acceleration  samples  of 
30s  each.  We  have  used  this  data  and  these  participants  to  create  datasets  of  attack  data  for  each 
attack  that  we  proposed.  We  have  collected  150  citizen  journalism  videos  from  YouTube  (witnessing 
armed  conflicts  from  Ukraine,  Venezuela,  and  natural  disasters).  Figure  5  shows  the  results  of  manual 
labeling  of  the  videos  according  to  our  12  mobile  video  categories. 


Figure 5. (a) Motion category distribution for YouTube dataset, (b) Distribution for free-form dataset (x-axis: Categories). Table 1 defines the 12 categories.


Algo        TPR(%)   FPR(%)   FNR(%)   Acc(%)
Maj. Vote   91.69    7.95     8.31     91.78
Prob.       91.69    7.95     8.31     91.78
Bagging     97.35    5.08     2.65     95.53

Algo        TPR(%)   FPR(%)   FNR(%)   Acc(%)
Maj. Vote   74.19    35.83    25.81    71.69
Prob.       69.95    32.50    30.05    69.34
Bagging     83.7     3.63     16.3     93.199

Figure  6.  (left)  Vamos  accuracy  on  cluster  based  stitch  attack,  (right)  Vamos  accuracy  on  sandwich 
based  stitch  attack.  The  classifier  performs  consistently  better  than  manual  threshold  based 
alternatives.  The  accuracy  of  Vamos  exceeds  93%  even  for  the  new  powerful  attacks  that  we 


Figure  6  shows  the  results  of  Vamos  on  the  powerful  new  attacks  we  introduced.  It  shows  that  Vamos 
achieves  an  accuracy  that  exceeds  93%. 


2.  Securing  Mobile  Device  Storage  and  Communications 


2.1  xRay:  In  VM  Memory  Mining  for  Provenance  Tracking 

KXRay  is  designed  to  detect  the  existence  and  location  of  specific  instances  of  target  data  structure 
types  in  kernel  or  VM  by  observing  memory  accesses  and  training  for  target-specific  timing-based 
signatures.  The  intuition  derives  from  the  idea  that  universal  scheduling  and  process  management 
invariants  reflect  in  access  patterns  and  can  be  trained  for  efficiently.  Further,  at  function  level, 
entropy  is  determined  by  a  limited  set  of  inputs  and  as  a  result  relative  intra-function  memory 
accesses  may  feature  stability  and  specificity  since  they  are  usually  directly  tied  to  underlying  object 
types.  KXRay  can  be  deployed  to  defeat  kernel  rootkits  that  “hide”  their  associated  processes  from 
existing  snapshot-based  detection  methods. 




Figure  7.  KXRay  main  framework  overview. 

We introduce multiple signature variants and evaluate them for different kernel versions. In initial results, trained-for signatures are resilient across the same major kernel version but lose effectiveness for far-removed kernel versions. KXRay successfully detected previously undetected processes hidden by four traditional rootkits. Online analysis of timing access patterns is effective in detecting previously undetectable hidden processes but incurs a heavy performance penalty which will need to be mitigated by specialized processor support or inter-core monitoring software to be acceptable in production.

Figure 8. KXRay detection mechanism details.

TrustZone provides one such out-of-band monitoring mechanism that we can leverage and deploy inside the Secure World to detect malware attacking the normal world kernel and applications and thus protect any sensing code and data streams running in the normal world.


2.2  DroidShield 

We have built DroidShield, a system that provides a new Android/TrustZone protection paradigm that enables MCloud to protect user-land application data from all unauthorized accesses, even those originating from a compromised kernel, with the highest privilege. MCloud context data gathered by smartphone sensors can now be relayed correctly and with integrity to its intended trusted MCloud code.

Figure 9. Simple attack example of existing Android malware that leaks data even from code running in the secure world.


DroidShield provides protection against attacks such as these. Its main goals are to provide a number of strong security properties for logic running on a protected smartphone, including:

•  For user-land applications
    o  Data confidentiality & integrity
    o  Code integrity
    o  Secure I/O communication

•  For Normal World Kernel
    o  Code Integrity
    o  Process security data integrity

•  For logic running in the Secure World
    o  Code & data confidentiality
    o  Code & data integrity
    o  Isolation from Normal World access
    o  No Secure World applications
    o  No Secure World I/O drivers


Figure 10 (panel title: "How can application data be protected?"). In effect DroidShield addresses the remaining weak spots in existing application data protection mechanisms to ensure user-land hosted and driven sensor data collection logic is not compromised.

Figure 11. DroidShield Architecture Overview.

DroidShield  Solution  Summary: 

•  Protect  application  memory  pages  using  Secure  World 

•  Isolate  Secure  World  from  both  I/O  and  Normal  World  access 

•  Minimize  Secure  World  Trusted  Computing  Base 

•  No  vulnerable  OEM  code  in  Secure  World,  that  can  compromise  its  security 

2.1.  SensCrypt 

We have reverse engineered and identified security vulnerabilities in Fitbit and Garmin, two popular and representative fitness tracker products. We have built two attack tools, FitBite and GarMax, and showed how they inspect and inject data into nearby Fitbit Ultra and Garmin Forerunner trackers, see Figure 12 for an illustration. The attacks are fast, thus practical even during brief encounters. We believe that the vulnerabilities that we identified in the security of Fitbit and Garmin are due to the many constraints faced by solution providers, including time to release, cost of hardware, battery life, features, mobility, usability, and utility to end user. Unfortunately, such a constrained design process often puts security in the back seat.

Figure 12. Illustration of injection attack on Fitbit Ultra.


We have devised SensCrypt (see Figure 13), a protocol for secure data storage and communication, for use by makers of affordable and lightweight sensors. SensCrypt thwarts not only the attacks we introduced, but also defends against powerful JTAG Read attacks. Thus SensCrypt provides defenses against an attacker that can intercept and modify the communications of sensors or that can even physically capture and access the memory of sensors. SensCrypt leverages the intermittent connectivity of sensors to the Internet in order to reset their memory with pseudo-random one time pads. Data captured by the sensor is then first encrypted with a device key before being xor-ed with the one time pad, into the sensor memory. Thus, in order to recover sensor data, an attacker needs to not only capture its communications, but also physically capture the device twice: once before sensor data is written on its memory, and once after.
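The storage scheme just described, as an added example that is not SensCrypt's own code: the server derives one-time pads from a key only it holds, the tracker XORs each encrypted record into its padded memory, and a helper shows what a reader of tracker memory can and cannot reconstruct. HMAC-SHA256 as pad generator and stand-in cipher, the 32-byte slots, the epoch counter, the keys and every name below are assumptions.

```python
import hashlib
import hmac

SLOT = 32  # bytes per memory slot; records are zero-padded to this size

def prf(key, label, index):
    """HMAC-SHA256 used as a pseudo-random function (assumed primitive)."""
    return hmac.new(key, label + index.to_bytes(4, "big"), hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(device_key, slot, data):
    """Stand-in cipher: XOR with a per-slot keystream; it is its own inverse."""
    return xor(data.ljust(SLOT, b"\0"), prf(device_key, b"enc", slot))

class Server:
    def __init__(self, pad_key, device_key):
        self.pad_key, self.device_key = pad_key, device_key

    def pads(self, epoch, slots):
        """Fresh one-time pads for a memory reset; pad_key never leaves the server."""
        label = b"pad" + epoch.to_bytes(4, "big")
        return [prf(self.pad_key, label, s) for s in range(slots)]

    def recover(self, epoch, uploaded):
        """Strip each pad, then decrypt with the device key."""
        pads = self.pads(epoch, len(uploaded))
        return [encrypt(self.device_key, s, xor(cell, pads[s])).rstrip(b"\0")
                for s, cell in enumerate(uploaded)]

class Tracker:
    def __init__(self, device_key):
        self.device_key, self.memory, self.used = device_key, [], 0

    def reset(self, pads):
        """Done while connected: memory is overwritten with new pads."""
        self.memory, self.used = list(pads), 0

    def write(self, record):
        """Encrypt with the device key, then XOR into the padded slot."""
        s = self.used
        self.memory[s] = xor(self.memory[s], encrypt(self.device_key, s, record))
        self.used += 1

    def upload(self):
        return self.memory[:self.used]

def memory_read_exposure(device_key, after, before=None):
    """What reading tracker memory (device key included) yields: with a single
    read the pad still masks every record; a read from before the writes
    cancels the pad."""
    cells = after if before is None else [xor(a, b) for a, b in zip(after, before)]
    return [encrypt(device_key, s, c).rstrip(b"\0") for s, c in enumerate(cells)]

def demo():
    server = Server(b"constructed server-only pad key", b"constructed device key")
    tracker = Tracker(server.device_key)
    tracker.reset(server.pads(epoch=1, slots=4))
    before = list(tracker.memory)
    records = [b"steps=8421", b"hr=62"]  # constructed sensor records
    for record in records:
        tracker.write(record)
    after = tracker.upload()
    return {"records": records,
            "server": server.recover(1, after),
            "one_read": memory_read_exposure(server.device_key, after),
            "two_reads": memory_read_exposure(server.device_key, after, before)}

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The pads only protect data if each reset uses a new epoch: two uploads masked with the same pad can be XORed together to cancel it.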

Figure 13. Illustration of SensCrypt Architecture. The sensor stores key material and encrypted data, which can only be accessed by an authenticated server.

Figure 14. Testbed for SensCrypt. Sens.io, the Arduino Uno device equipped with Bluetooth shield and SD card, is the tracker. Nexus 4 is the base.


We  have  built  Sens.io,  a  prototype  tracker,  from  off-the-shelf 
components,  see  Figure  14.  It  consists  of  an  Arduino  Uno  Rev3 
and  external  Bluetooth  (Seeeduino  V3.0)  and  SanDisk  card 
shields.  The  Arduino  platform  is  a  good  model  of  resource 
constrained  trackers:  its  ATmega328  micro-controller  has  a  16 
MHz  clock,  32  KB  Flash  memory,  2  KB  SRAM  and  1  KB 
EEPROM.  The  Bluetooth  card  has  a  default  baud  rate  of 
38,400  and  communication  range  up  to  10  m.  Since  the 
Arduino  has  2  KB  SRAM,  it  can  only  rely  on  1,822  bytes  to 
buffer  data  for  transmissions.  The  SD  card  (FAT  16)  can 
be  accessed  at  the  granularity  of  512  byte  blocks.  The  cost  of 
Sens.io  is  $52  ($25  Arduino  card,  $20  Bluetooth  shield,  $2.5 
SD  Card  shield,  $4  SD  card,  see  Fig.  9),  a  fraction  of  Fitbit’s 
($99)  and  Garmin’s  ($299)  trackers. 


We  have  shown  that  on  Sens.io,  SensCrypt  (i)  imposes  a  6  ms 
overhead  on  tracker  writes,  (ii)  reduces  the  end-to-end  overhead  of  data  uploads  to  50  percent  of  that 
of  Fitbit,  and  (iii)  enables  a  server  to  support  large  volumes  of  tracker  communications. 


3.  Fraud  Detection  in  Social  Media 


We  have  developed  solutions  to  identify  fraudulent  behaviors  in  Yelp  and  Google  Play.  In  the 
following,  we  summarize  our  results  for  each  system. 


3.1  FairPlay:  Detection  of  Search  Rank  Fraud  and  Malware  Apps  in  Google  Play 

We  have  performed  a  detailed  temporal  analysis  of  Google  Play,  Google’s  app  market,  on  data  that 
we  collected  daily  from  160,000  apps,  over  a  period  of  six  months  in  2012.  We  have  discovered  that 
at  most  50%  of  the  apps  are  updated  in  all  categories,  which  significantly  impacts  the  median  price. 
The  average  price  does  not  exhibit  seasonal  monthly  trends  and  a  changing  price  does  not  show  any 
observable  correlation  with  the  download  count.  We  have  also  shown  that  productive  developers  are 
not  creating  many  popular  apps,  but  a  few  developers  control  apps  which  dominate  the  total  number 
of  downloads.  In  addition,  we  have  collected  longitudinal  app  data  from  87,000  apps,  2.9  million 
reviews,  and  2.4  million  reviewers,  over  half  a  year,  between  2014  and  2015. 

We have leveraged this data to develop FairPlay, a novel system that uncovers both malware and search rank fraud apps, by picking out trails that fraudsters leave behind. To identify suspicious apps, FairPlay’s PCF algorithm correlates review activities and uniquely combines detected review relations with linguistic and behavioral signals gleaned from longitudinal Google Play app data. For instance, the high cost of setting up valid Google Play accounts forces fraudsters to reuse their accounts across review writing jobs, making them likely to review more apps in common than regular users. Resource constraints can compel fraudsters to post reviews within short time intervals. Legitimate users affected by malware may report unpleasant experiences in their reviews. Ramps in the number of “dangerous” permissions requested by apps may indicate benign to malware (Jekyll-Hyde) transitions.
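Two of the signals above, accounts that review many apps in common and reviews posted within a short interval, can be checked as follows. This is an added example, not FairPlay's PCF algorithm: the greedy density-based grouping, the thresholds, the account and app names and the review records are all constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

MIN_COMMON = 3     # assumed: apps two accounts must share for a "heavy" edge
MIN_DENSITY = 0.8  # assumed: share of heavy edges required inside a group
MIN_SIZE = 3       # assumed: smallest group worth reporting

def co_review_weights(reviews):
    """Map each reviewer pair (a < b) to the number of apps both reviewed."""
    apps = defaultdict(set)
    for reviewer, app, _day in reviews:
        apps[reviewer].add(app)
    return {(a, b): len(apps[a] & apps[b]) for a, b in combinations(sorted(apps), 2)}

def dense_groups(reviewers, weights):
    """Greedy search for near-cliques: grow a group from each seed while the
    fraction of heavy edges inside it stays at or above MIN_DENSITY."""
    def heavy(a, b):
        return weights.get((min(a, b), max(a, b)), 0) >= MIN_COMMON

    groups, used = [], set()
    for seed in sorted(reviewers):
        if seed in used:
            continue
        group = [seed]
        for cand in sorted(reviewers):
            if cand in used or cand in group:
                continue
            pairs = list(combinations(group + [cand], 2))
            if sum(heavy(a, b) for a, b in pairs) / len(pairs) >= MIN_DENSITY:
                group.append(cand)
        if len(group) >= MIN_SIZE:
            groups.append(group)
            used.update(group)
    return groups

def assess_app(reviews, app):
    """Report the largest co-review group among an app's reviewers, the share
    of reviewers it covers, and the span in days of that group's reviews."""
    on_app = {r: day for r, a, day in reviews if a == app}
    largest = max(dense_groups(on_app, co_review_weights(reviews)), key=len, default=[])
    days = [on_app[r] for r in largest]
    return {"group": largest,
            "share": len(largest) / len(on_app) if on_app else 0.0,
            "burst_days": max(days) - min(days) if days else None}

# Constructed review records: (reviewer, app, day of posting).
TARGET = "app.target"
HISTORY = {"f1": ["a1", "a2", "a3", "a4"], "f2": ["a1", "a2", "a3", "a4"],
           "f3": ["a1", "a2", "a5"], "f4": ["a3", "a4", "a6"],
           "u1": ["b1"], "u2": ["b2", "a1"], "u3": ["b1"]}
REVIEWS = [("f1", TARGET, 10), ("f2", TARGET, 10), ("f3", TARGET, 11),
           ("f4", TARGET, 11), ("u1", TARGET, 3), ("u2", TARGET, 40),
           ("u3", TARGET, 75)]
REVIEWS += [(r, app, 1) for r, apps in HISTORY.items() for app in apps]

if __name__ == "__main__":
    print(assess_app(REVIEWS, TARGET))
```

Accounts f3 and f4 share only the target app, so the flagged group is a near-clique rather than a full clique, which is why the density test is used instead of requiring every pair to be connected.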

Figure 15. (left) FairPlay classification results (10-fold cross validation) of gold standard fraudulent (positive) and benign apps. RF has lowest FPR, thus desirable. (right) FairPlay classification results (10-fold cross validation) of gold standard malware (positive) and benign apps, significantly outperforming Sarma et al. FairPlay’s RF achieves 96.11% accuracy at 1.51% FPR.

We contributed a longitudinal dataset of 87,223 freshly posted Google Play apps (along with their 2.9 million reviews, from 2.3 million reviewers) collected between October 2014 and May 2015. We have leveraged search rank fraud expert contacts in Freelancer, anti-virus tools and manual verifications to collect gold standard datasets of hundreds of fraudulent, malware and benign apps.


Figure  16.  (a)  Clique  flagged  by  FairPlay  for  “Tiempo  -  Clima  gratis”,  one  of  201  seed  fraud  apps  we 
identified,  involving  37  reviewers  (names  hidden  for  privacy);  edge  weights  proportional  to  numbers 
of  apps  reviewed  in  common  (ranging  from  115  to  164  apps).  (b  &  c)  Statistics  over  the  372 
fraudulent  apps  detected  by  FairPlay,  out  of  1,600  investigated:  (b)  Distribution  of  per  app  number 
of  discovered  pseudo  cliques.  93.3%  of  the  372  apps  have  at  least  1  pseudo  clique  of  size  3.  (c) 
Distribution  of  percentage  of  app  reviewers  (nodes)  that  belong  to  the  largest  pseudo  clique  and  to 
any  clique.  8%  of  the  372  apps  have  more  than  90%  of  their  reviewers  involved  in  a  clique! 


We  have  shown  that  FairPlay  achieves  high  accuracy  in  differentiating  between  fraudulent  and 
benign  apps  as  well  as  between  malware  and  benign  apps,  see  Figure  15.  We  have  shown  that  75%  of 
the  identified  malware  apps  engage  in  search  rank  fraud.  FairPlay  discovers  hundreds  of  fraudulent 
apps  that  currently  evade  Google  Bouncer’s  detection  technology,  see  Figure  16  for  an  illustration  of 
those  apps. 


3.2  Marco:  Fraud  Detection  in  Yelp 


While malicious behaviors may occasionally be performed by inexperienced fraudsters, they may also be professionally organized. For example, search engine optimization (SEO) companies tap into review writer markets to offer review campaigns or “face lift” operations for business owners, to manipulate venues’ ratings (1-5 star) through multiple, coordinated artificial reviews. For business owners, profit seems to be the main incentive to drive them to engage in deceptive activities. Studies have shown that an extra half-star rating on Yelp causes a restaurant to sell out 19% more often, and a one-star increase leads to a 5-9% increase in revenue.

City            Car Shop    Mover       Spa
Miami, FL       1000 (6)    348 (8)     1000 (21)
San Fran., CA   612 (59)    475 (45)    1000 (42)
NYC, NY         1000 (8)    1000 (27)   1000 (28)

Figure 17. Venues identified by Marco as fraudulent (shown in red) out of venues of specific type in 3 major US cities.


We  introduced  Marco  (MAlicious  Review  Campaign  Observer),  a  novel  system  that  leverages  the 
wealth  of  spatial,  temporal  and  social  information  provided  by  Yelp,  to  detect  venues  that  are  targets 
of  deceptive  behaviors.  Marco  exploits  fundamental  fraudster  limitations  to  identify  venues  with  (i) 
abnormal  review  spikes,  (ii)  series  of  dissenting  reviews  and  (iii)  impactful  but  suspicious  reviews. 
Marco  detects  both  venues  that  receive  large  numbers  of  fraudulent  reviews,  and  venues  that  have 
insufficient  genuine  reviews  to  neutralize  the  effects  of  even  small  scale  campaigns.  The  table  in 
Figure  17  shows  the  ability  of  Marco  to  identify  real  life  fraud  (numbers  shown  in  red)  among 
venues  of  various  types  in  different  cities. 


3.3  Friend  Spam  Detection  with  Privacy 

Friend spam, adversarial invitations sent to social network users, exposes victims to a suite of privacy, spear phishing and malware vulnerabilities. In this project we have proposed to use the location history of users to detect friend spam. We posited that the user trust in friends is associated with their co-location frequency. To evaluate this hypothesis, we performed a user study on 68 participants. Figure 18 summarizes our findings that the participants tended to be closer friends with, and have more involved topics of conversation with the Facebook friends with whom they meet more frequently.

Figure 18. Distribution of types of friends for (a) friends never met in person and (b) friends met daily or weekly, and of the topics of discussion for (c) friends never met in person and (d) friends met daily or weekly.

We have leveraged this result to introduce and build GeoPal, a framework that carefully accesses the potentially sensitive location history of users to privately prove their past location claims, and to privately compute and update fuzzy co-location affinities with other users. Figure 19 illustrates GeoPal: mobile devices engage in protocols with venues visited to privately retrieve “tokens”, proofs of presence in a time and space point. The history of tokens is then used to engage in privacy preserving protocols with prospective Facebook friends, in order to prove trust. We have built GeoPal on PLP, a protocol we developed to privately collect proofs of user past locations. We have shown that GeoPal is practical: a Nexus 5 can process more than 20K location proofs per second.

Figure 17. GeoPal architecture. The user’s mobile device privately captures and stores proofs of locations visited. The collected proof history is stored on the device and used to process friend invitations: privately prove past locations, determine fuzzy co-location affinity with invited friends, and detect current co-location with pending friends.


